Page 1 of 2 (Results 1 to 15 of 27)
  1. #1
    House's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Posts
    2,990
    Reputation
    223
    Thanks
    8,953
    My Mood
    Cynical

    AlterMW3 = Malware?

    This has been posted on TG Blog ... read if you play at aIW

    Many of you have noticed we were under a heavy DDOS attack over the past week. After having fought it off pretty easily, we went out to investigate what kind of idiot would use his botnet for this kind of activity.

    Today it came to our attention that ntauthority used YOU, the people who play in alterMW3, to do his dirty work. Yes, he used all of you – over 60000 people, to DDOS our website.

    Below is a code snippet taken from AlterMW3′s “iw5m.dll” (the original, unmodified file is included with this post). The dll contains a thread function that runs constantly while you’re playing AlterMW3. What does it do? Well, it turns out it runs a DDOS attack on our website:


    .text:100EBF70 push ebp
    .text:100EBF71 mov ebp, esp
    .text:100EBF73 sub esp, 354h
    .text:100EBF79 mov eax, dword_1029C6D0 ; stack cookie (MSVC /GS) setup
    .text:100EBF7E xor eax, ebp
    .text:100EBF80 mov [ebp+var_4], eax
    .text:100EBF83 push ebx
    .text:100EBF84 push esi
    .text:100EBF85 push edi
    .text:100EBF86 push 3
    .text:100EBF88 call sub_100BE567
    .text:100EBF8D add esp, 4
    .text:100EBF90 call sub_100BF381
    .text:100EBF95 mov [ebp+var_8], eax
    .text:100EBF98 cmp [ebp+var_8], 0 ; leave the thread if sub_100BF381 returned 0
    .text:100EBF9C jz loc_100EC483
    .text:100EBFA2
    .text:100EBFA2 loc_100EBFA2: ; top of the thread loop
    .text:100EBFA2 mov eax, 1 ; while (1): this jz is never taken
    .text:100EBFA7 test eax, eax
    .text:100EBFA9 jz loc_100EC483
    .text:100EBFAF push 0FAh ; delay for the thread loop: Sleep(250 ms)
    .text:100EBFB4 call ds:Sleep
    .text:100EBFBA mov [ebp+var_108], 't' ; encrypted link to TG forums, built byte by byte on the stack
    .text:100EBFC1 mov [ebp+var_107], 'h'
    .text:100EBFC8 mov [ebp+var_106], 'h'
    .text:100EBFCF mov [ebp+var_105], 'l'
    .text:100EBFD6 mov [ebp+var_104], '&'
    .text:100EBFDD mov [ebp+var_103], '3'
    .text:100EBFE4 mov [ebp+var_102], '3'
    .text:100EBFEB mov [ebp+var_101], 'k'
    .text:100EBFF2 mov [ebp+var_100], 'k'
    .text:100EBFF9 mov [ebp+var_FF], 'k'
    .text:100EC000 mov [ebp+var_FE], '2'
    .text:100EC007 mov [ebp+var_FD], 'h'
    .text:100EC00E mov [ebp+var_FC], 'y'
    .text:100EC015 mov [ebp+var_FB], 'w'
    .text:100EC01C mov [ebp+var_FA], 'r'
    .text:100EC023 mov [ebp+var_F9], 's'
    .text:100EC02A mov [ebp+var_F8], '{'
    .text:100EC031 mov [ebp+var_F7], 's'
    .text:100EC038 mov [ebp+var_F6], 'x'
    .text:100EC03F mov [ebp+var_F5], 'o'
    .text:100EC046 mov [ebp+var_F4], '2'
    .text:100EC04D mov [ebp+var_F3], 7Fh ; non-printable byte, exported blank by the disassembler ('c' ^ 1Ch = 7Fh)
    .text:100EC054 mov [ebp+var_F2], 's'
    .text:100EC05B mov [ebp+var_F1], 'q'
    .text:100EC062 mov [ebp+var_F0], '3'
    .text:100EC069 mov [ebp+var_EF], 'l'
    .text:100EC070 mov [ebp+var_EE], 't'
    .text:100EC077 mov [ebp+var_ED], 'l'
    .text:100EC07E mov [ebp+var_EC], '~'
    .text:100EC085 mov [ebp+var_EB], '~'
    .text:100EC08C mov [ebp+var_EA], '3' ; '3' ^ 1Ch = '/', the trailing slash of the URL
    .text:100EC093 mov [ebp+var_E9], 1Ch ; 1Ch ^ 1Ch = 0: the NUL terminator, which gives away the XOR key
    .text:100EC09A mov [ebp+var_20C], 0 ; zeroed before the jump, presumably the index for the decode loop (the rest of the routine is not included in the post)
    .text:100EC0A4 jmp short loc_100EC0B5

    As you can see, this piece of code builds an encrypted string “thhl&33kkk2hywrs{sxo2.sq3ltl~~”. If we XOR this string with 0x1C, the result is “http://www.teknogods.com/phpbb”

    This is the exact URL that we got attacked at constantly (that is why we moved our forum to phpbb_a). You can thank ntauthority for making you a part of HIS private botnet. We’re wondering though, what else he has used you people for? TeknoGods would never do anything like this, because it is lame, way below our standards and not to mention illegal.

    Our dedicated servers work even when user is fully offline and do not require users to register for anything. Anyone can play from anywhere, anytime, offline and online (there are still a few bugs, but we’re working constantly to fix them).

    TL;DR: AlterMW3 is malware; ntauthority of alteriw.net is using AlterMW3 users for a DDoS (distributed denial of service) attack against our web page.

    If you’re a reverse-engineer, download the AlterMW3 ‘iw5m.dll’ malware here and see for yourself!

    PS. New version of T----MW3 is almost ready!

    LAST MINUTE UPDATE: Latest ‘iw5m.dll’ version of AlterMW3 connects to IRC – does it turn your computer into fully remotely controlled zombie PC? We strongly suggest: never trust AlterIW ever again.

    UPDATE #2:

    Log of a lot of bots joining their channel: Paste2: Next Generation Pastebin - Viewing Paste 1898447 (Killed (http://irc.rizon.no (G-Lined: botnet not allowed on rizon)))

    G-Lines are always MANUALLY added.

    UPDATE #3:

    They admit it here:

    alterIWnet • View topic - What are you doing guys?

    UPDATE #4:

    Their propaganda response here: alterIWnet • View topic - Regarding Teknogods and AlterMW3

    Regards,
    - TG Team -
    Last edited by master131; 02-27-2012 at 11:44 PM.
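Decoding the stack string from the listing quoted in the post above, as an added example in Python that is not part of the original post or of either project's code. The script parses IDA-style `mov [ebp+var_XX], imm` lines, orders the stored bytes by stack offset, keeps the longest contiguous run (so the unrelated `var_20C` store is dropped), recovers the single-byte XOR key from the known `http` prefix instead of assuming it, and decodes up to the NUL. The listing text is copied from the post, except that the immediate the disassembler exported as `''` is written here as `7Fh` (`'c' ^ 0x1C`, which is not printable, and which is also why the blog's printed string shows a `.` at that position). The decoded value is `http://www.teknogods.com/phpbb/`: the listing's final `'3'` is the trailing slash and `1Ch` is the terminator.

```python
import re

# Constructed input: the byte-store lines copied from the iw5m.dll listing
# quoted in the post, with the blank immediate written as 7Fh.
LISTING = """
.text:100EBFBA mov [ebp+var_108], 't'
.text:100EBFC1 mov [ebp+var_107], 'h'
.text:100EBFC8 mov [ebp+var_106], 'h'
.text:100EBFCF mov [ebp+var_105], 'l'
.text:100EBFD6 mov [ebp+var_104], '&'
.text:100EBFDD mov [ebp+var_103], '3'
.text:100EBFE4 mov [ebp+var_102], '3'
.text:100EBFEB mov [ebp+var_101], 'k'
.text:100EBFF2 mov [ebp+var_100], 'k'
.text:100EBFF9 mov [ebp+var_FF], 'k'
.text:100EC000 mov [ebp+var_FE], '2'
.text:100EC007 mov [ebp+var_FD], 'h'
.text:100EC00E mov [ebp+var_FC], 'y'
.text:100EC015 mov [ebp+var_FB], 'w'
.text:100EC01C mov [ebp+var_FA], 'r'
.text:100EC023 mov [ebp+var_F9], 's'
.text:100EC02A mov [ebp+var_F8], '{'
.text:100EC031 mov [ebp+var_F7], 's'
.text:100EC038 mov [ebp+var_F6], 'x'
.text:100EC03F mov [ebp+var_F5], 'o'
.text:100EC046 mov [ebp+var_F4], '2'
.text:100EC04D mov [ebp+var_F3], 7Fh
.text:100EC054 mov [ebp+var_F2], 's'
.text:100EC05B mov [ebp+var_F1], 'q'
.text:100EC062 mov [ebp+var_F0], '3'
.text:100EC069 mov [ebp+var_EF], 'l'
.text:100EC070 mov [ebp+var_EE], 't'
.text:100EC077 mov [ebp+var_ED], 'l'
.text:100EC07E mov [ebp+var_EC], '~'
.text:100EC085 mov [ebp+var_EB], '~'
.text:100EC08C mov [ebp+var_EA], '3'
.text:100EC093 mov [ebp+var_E9], 1Ch
.text:100EC09A mov [ebp+var_20C], 0
"""

MOV_RE = re.compile(r"mov\s+\[ebp\+var_([0-9A-Fa-f]+)\],\s*(\S+)")


def parse_immediate(text):
    """'t' -> 0x74, 1Ch -> 0x1C, 0 -> 0; registers and symbols -> None."""
    if len(text) == 3 and text[0] == text[-1] == "'":
        return ord(text[1])
    try:
        return int(text[:-1], 16) if text[-1] in "hH" else int(text, 0)
    except ValueError:
        return None


def stack_byte_stores(listing):
    """(offset, value) for every immediate stored to a local, highest offset
    first: var_108 is the lowest address on the stack, so it comes first."""
    stores = []
    for line in listing.splitlines():
        m = MOV_RE.search(line)
        if m is None:
            continue
        value = parse_immediate(m.group(2))
        if value is not None:
            stores.append((int(m.group(1), 16), value))
    stores.sort(key=lambda s: -s[0])
    return stores


def contiguous_runs(stores):
    """Split sorted stores into runs of adjacent stack bytes, one string each."""
    runs, current = [], []
    for off, val in stores:
        if current and current[-1][0] - off != 1:
            runs.append(current)
            current = []
        current.append((off, val))
    if current:
        runs.append(current)
    return [bytes(v for _, v in run) for run in runs]


def recover_key(data, crib=b"http"):
    """Known-plaintext recovery of a single-byte XOR key: every crib byte
    must agree on the same key, otherwise return None."""
    keys = {c ^ p for c, p in zip(data, crib)}
    return keys.pop() if len(keys) == 1 else None


def xor_decode(data, key):
    """XOR each byte with key and stop at the first decoded NUL."""
    out = bytearray()
    for b in data:
        p = b ^ key
        if p == 0:
            break
        out.append(p)
    return out.decode("ascii")


def decode_listing(listing, key=None):
    """Longest contiguous stack string in the listing, XOR-decoded."""
    longest = max(contiguous_runs(stack_byte_stores(listing)), key=len)
    if key is None:
        key = recover_key(longest)
    return xor_decode(longest, key)


if __name__ == "__main__":
    print(decode_listing(LISTING))
```

Run it as-is and it prints the decoded URL; feeding it any other IDA listing with the same stack-string pattern works the same way, provided the crib matches the start of the plaintext.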

  2. #2
    sflord90's Avatar
    Join Date
    Jan 2012
    Gender
    male
    Posts
    81
    Reputation
    10
    Thanks
    42
    My Mood
    Relaxed
    Glad I never touched AlterMW3..


    trojans cant touch me though ..
    fuck this 90 day password expires shit

  3. #3
    aIW|Convery's Avatar
    Join Date
    Oct 2010
    Gender
    male
    Posts
    2,876
    Reputation
    124
    Thanks
    595
    My Mood
    Cynical
    Technofags are just crying all the time. First it's us hacking their servers, then we are DDOSing, bribing feds to investigate their site and now we are a botnet.. But yeah, if you want to go cheat on their servers instead then who am I to stop you =P

    Also, everything is taken out of context in an attempt to slander aIW. Hence the "I advise you to stay far away from alterIW! [and play on my service instead]".. Not to mention that I personally find it funny that the guy who is always shouting about how he's making an original project and wants donations for it REs every aIW file whenever it updates, for no reason of course as he's making his own version from scratch, right?

    I mean, it's not like he had a service just like aIW that he was going to release when enough people had donated to him and then never managed to release anything remotely useful.. and it's not like it took him 6 months to get a MW3 server semi-working while it took aIW 6 days..
    So there's no real reason for all the hate..
    Last edited by aIW|Convery; 02-08-2012 at 07:38 PM.

  4. #4
    House's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Posts
    2,990
    Reputation
    223
    Thanks
    8,953
    My Mood
    Cynical
    I took this log with Wireshark 2 min ago and it seems to be true. The aIW client sent HTTP, SYN and TCP floods to the TeknoGods server IP. I don't claim anything, but it is proof.


    If you still want to play on aIW I advise you to add this to your hosts file, which will block connecting to the TG IP:
    Code:
    127.0.0.1 91.229.175.162
    127.0.0.1 teknogods.com
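A check for the capture House describes and for the hosts-file workaround, as an added example in Python that is not part of the original post or of either project's code. The first part counts SYNs per second per (source, destination, port) over tshark-style packet summary lines and flags a flow whose peak SYN rate is far above what a game client opens; the lines are constructed here, 10.0.0.5 is an assumed client address, and the destination is the TG address from the hosts entry above. The second part evaluates a hosts file the way the resolver does: entries match exact names only, so `teknogods.com` does not cover `www.teknogods.com`, the host in the URL decoded from the DLL, and a line whose name field is an IP literal maps nothing, because IP literals are never looked up.

```python
import ipaddress
from collections import defaultdict


def constructed_capture():
    """Constructed packet summaries: '<seconds> <src> <dst> <dport> <flags>'.
    60 SYNs to port 80 inside one second, then one ordinary connection."""
    lines = [f"{i * 0.016:.3f} 10.0.0.5 91.229.175.162 80 S" for i in range(60)]
    lines += [
        "0.500 10.0.0.5 198.51.100.7 443 S",
        "0.520 10.0.0.5 198.51.100.7 443 A",
        "0.900 10.0.0.5 198.51.100.7 443 PA",
    ]
    return lines


def parse_line(line):
    t, src, dst, dport, flags = line.split()
    return float(t), src, dst, int(dport), flags


def syn_stats(lines, window=1.0):
    """Per (src, dst, dport): (peak SYNs in any `window` seconds, packets
    carrying ACK). A high peak with no ACKs is a half-open SYN flood; a high
    peak with ACKs is a connection flood from a real (non-spoofed) host."""
    syns = defaultdict(list)
    acks = defaultdict(int)
    for line in lines:
        t, src, dst, dport, flags = parse_line(line)
        key = (src, dst, dport)
        if flags == "S":
            syns[key].append(t)
        elif "A" in flags:
            acks[key] += 1
    stats = {}
    for key, times in syns.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):        # sliding window over SYN times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        stats[key] = (peak, acks[key])
    return stats


def flag_syn_floods(lines, syn_per_sec=20, window=1.0):
    """Flows whose peak SYN rate reaches the threshold (assumed: 20/s)."""
    return [key for key, (peak, _) in syn_stats(lines, window).items()
            if peak >= syn_per_sec]


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def hosts_redirects(hosts_text, hostname):
    """True if the hosts file maps `hostname` (exact, case-insensitive) to a
    loopback or unspecified address. No wildcards; IP literals are never
    resolved, so they neither match as names nor get redirected."""
    if _is_ip(hostname):
        return False
    target = hostname.lower()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], [n.lower() for n in fields[1:] if not _is_ip(n)]
        if addr in ("127.0.0.1", "0.0.0.0", "::1") and target in names:
            return True
    return False


if __name__ == "__main__":
    capture = constructed_capture()
    for key, (peak, ack_count) in syn_stats(capture).items():
        print(key, "peak SYN/s:", peak, "ACK packets:", ack_count)
    print("flagged:", flag_syn_floods(capture))
    hosts = "127.0.0.1 91.229.175.162\n127.0.0.1 teknogods.com\n"
    for name in ("teknogods.com", "www.teknogods.com"):
        print(name, "redirected:", hosts_redirects(hosts, name))
```

To run this on a real capture, export `frame.time_relative ip.src ip.dst tcp.dstport tcp.flags.str` from tshark into the same five-column shape; the threshold is a guess for a game client and should be tuned against a baseline of the same process idling in a lobby.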

  5. #5
    aIW|Convery's Avatar
    Join Date
    Oct 2010
    Gender
    male
    Posts
    2,876
    Reputation
    124
    Thanks
    595
    My Mood
    Cynical
    @House That was NTA's idea of a 'joke' and was in the code for a day and a half. The reason for this was because Teknofrauds cried about us DDOSing them for a whole week to cover up that their server couldn't even handle 100 players at the same time and to get attention as 'a competitor aIW has to do everything they can to compete with'. So NTA decided he wanted to show them what load really is and added that which was removed 32 hours later.

    We have openly apologized for that thread being in the code as no one but NTA knew about it, but Teknofrauds won't stop there and constantly claim that we are a huge botnet while linking to the posts about the DDOS where Jerbob says "it's true" to further establish those claims and accusations. His other 'proof' is users joining the IRC channel via aMW3, this is a feature that has been in aIW for almost a year but as soon as it's added to aMW3 it's concrete proof of being part of a botnet.
    It's worth noting that when ingame IRC was tested for aMW2 the users automatically joined the channel, exactly like how it was done today.

    All in all, if aIW had been a botnet and we actually cared for his tiny project we could have kept his site down without any problems. In the old thread where some accused aIW of being a botnet because the client can receive commands from admins (kick user, print to console etc.) we calculated that aIW as a botnet would have a rough 270GB/s worth of upload speed. I can't think of any site that can handle that, yet here we are explaining instead of silencing everyone that is annoying.

    Again, if you want to cheat on a service with no anti-cheat or you're just falling for their propaganda then by all means go cheat on their service. aIW couldn't care less for what some cheaters believe as, let's be honest here, most cheaters here are kids that will believe anything. If I claimed that the Teknofrauds site is run by enchanted gerbils then quite a few would probably regard that as a fact.
    Last edited by aIW|Convery; 02-08-2012 at 08:33 PM.

  6. The Following User Says Thank You to aIW|Convery For This Useful Post:

    lolbie (02-09-2012)

  7. #6
    House's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Posts
    2,990
    Reputation
    223
    Thanks
    8,953
    My Mood
    Cynical
    I think that regardless of reason, duration and network usage/capacity, NTA (or anyone else responsible) mustn't have misused the ability to control the network of users to commit actions they did not sign approval for, especially if those actions include illegal activities like denial of service and private data exposure (IP addresses).

  8. The Following User Says Thank You to House For This Useful Post:

    CaptainSparklez (02-11-2012)

  9. #7
    aIW|Convery's Avatar
    Join Date
    Oct 2010
    Gender
    male
    Posts
    2,876
    Reputation
    124
    Thanks
    595
    My Mood
    Cynical
    Quote Originally Posted by House View Post
    I think that regardless of reason, duration and network usage/capacity, NTA (or anyone else responsible) mustn't have misused the ability to control the network of users to commit actions they did not sign approval for, especially if those actions include illegal activities like denial of service and private data exposure (IP addresses).
    Well, that's your opinion. I for one couldn't care less about the game opening a page as long as it wouldn't affect my computer in any way. Also, they didn't sign anything saying that the game is allowed to gather the MAC address and all that either..

  10. #8
    onemoar's Avatar
    Join Date
    Jun 2010
    Gender
    male
    Location
    sadsa
    Posts
    21
    Reputation
    10
    Thanks
    1
    My Mood
    Aggressive
    Quote Originally Posted by aIW|Convery View Post
    Well, that's your opinion. I for one couldn't care less about the game opening a page as long as it wouldn't affect my computer in any way. Also, they didn't sign anything saying that the game is allowed to gather the MAC address and all that either..
    It's bullshit nonetheless and it's exactly the kind of behavior I tried to warn people about time and time again.
    Regardless of the intention for it to be a "joke", the end result was a DDoS attack, PERIOD.
    And I am not even gonna discuss the subject of abuse of trust and misuse of userbase resources.
    What is really sad is this little flame war between teknotards and "assmassed idiots worldwide" aIW.
    The only thing both of you have managed to do is prove that my initial judgement of you people was right: you're all morons.
    I mean seriously? QC fail much.. all code should get at least a glance over before it rolls out....
    I advise everyone to boycott aIW > or grab an aimbot and go trolling :3

    And saying "we are sorry" doesn't cut it.
    Last edited by onemoar; 02-08-2012 at 10:03 PM.

  11. #9
    aIW|Convery's Avatar
    Join Date
    Oct 2010
    Gender
    male
    Posts
    2,876
    Reputation
    124
    Thanks
    595
    My Mood
    Cynical
    Quote Originally Posted by onemoar View Post
    It's bullshit nonetheless and it's exactly the kind of behavior I tried to warn people about time and time again.
    Regardless of the intention for it to be a "joke", the end result was a DDoS attack, PERIOD.
    And I am not even gonna discuss the subject of abuse of trust and misuse of userbase resources.
    What is really sad is this little flame war between teknotards and "assmassed idiots worldwide" aIW.
    The only thing both of you have managed to do is prove that my initial judgement of you people was right: you're all morons.
    I mean seriously? QC fail much.. all code should get at least a glance over before it rolls out....
    I advise everyone to boycott aIW > or grab an aimbot and go trolling :3

    And saying "we are sorry" doesn't cut it.
    How about just rooting every cheater instead of banning them then? Seems like a lot of fun, not to mention an effective way to keep them away.. I mean, as the kids that hate aIW (yet play it every day) and are just looking for a reason to go on a crusade telling the world how bad aIW is as soon as a single mistake is made then why not, they'll never drop it and will only ramp it up so saying 'aIW now roots the cheaters, don't want to be part of a botnet? don't cheat' would probably even bring us more 'legit' players while the cheaters will cry in their corners. Not to mention that they would be responsible for their UC site being down (you know, the one that couldn't even handle 2 bots)..

    Also, 'boycotting' a free service really has no effect, other than reducing the number of cheaters and therefore serverload.
    Last edited by aIW|Convery; 02-09-2012 at 02:26 AM.

  12. #10
    lolbie's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    Netherlands
    Posts
    5,207
    Reputation
    288
    Thanks
    2,090
    My Mood
    Angelic
    hehe
    I think it is pretty cool xD
    we are not in a botnet and still attacking a site :P

    He is just using a loop to ddos them
    how awesome xD
    I love it when people keep their agreements /sarcasm ftw

  13. The Following User Says Thank You to lolbie For This Useful Post:

    fog390 (02-13-2012)

  14. #11
    Rkafisking's Avatar
    Join Date
    Feb 2012
    Gender
    male
    Posts
    22
    Reputation
    10
    Thanks
    9
    Quote Originally Posted by House View Post
    I think that regardless reason, duration and network usage/capacity, NTA (or anyone else responsible) mustn't have misused ability to control the network of users to commit actions they did not sign approval for and especially if those actions include illeagl activities like Denial of Service and private data exposure (IP addresses).
    NT might think it's funny; regardless, your ISP could still ban you for DDoS attacks. A couple of years back I had some malware and it sent out DDoS attacks as well without me knowing. My ISP contacted me telling me what was up and suggested I format my Windows, saying if it continued there was a possibility they would literally pull the plug. Thanks for the heads up House.

  15. #12
    lolbie's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    Netherlands
    Posts
    5,207
    Reputation
    288
    Thanks
    2,090
    My Mood
    Angelic
    Quote Originally Posted by Rkafisking View Post
    NT might think it's funny; regardless, your ISP could still ban you for DDoS attacks. A couple of years back I had some malware and it sent out DDoS attacks as well without me knowing. My ISP contacted me telling me what was up and suggested I format my Windows, saying if it continued there was a possibility they would literally pull the plug. Thanks for the heads up House.
    You don't even have to worry, this isn't even a real DDoS, plus it is already gone.
    I love it when people keep their agreements /sarcasm ftw

  16. #13
    House's Avatar
    Join Date
    Mar 2010
    Gender
    male
    Posts
    2,990
    Reputation
    223
    Thanks
    8,953
    My Mood
    Cynical
    Quote Originally Posted by lolbie View Post
    You don't even have to worry, this isn't even a real DDoS, plus it is already gone.
    SYN flood - Wikipedia, the free encyclopedia

  17. The Following User Says Thank You to House For This Useful Post:

    Rkafisking (02-09-2012)

  18. #14
    Rkafisking's Avatar
    Join Date
    Feb 2012
    Gender
    male
    Posts
    22
    Reputation
    10
    Thanks
    9
    Quote Originally Posted by lolbie View Post
    You don't even have to worry, this isn't even a real DDoS, plus it is already gone.
    I never worry, but it's still an invasion of my privacy.
    They shouldn't use my PC for a personal geek war.
    Honestly I don't even see how it's a joke because it's not even funny.

  19. #15
    lolbie's Avatar
    Join Date
    Apr 2010
    Gender
    male
    Location
    Netherlands
    Posts
    5,207
    Reputation
    288
    Thanks
    2,090
    My Mood
    Angelic
    Quote Originally Posted by Rkafisking View Post
    I never worry, but it's still an invasion of my privacy.
    They shouldn't use my PC for a personal geek war.
    Honestly I don't even see how it's a joke because it's not even funny.
    maybe if you knew more it was a pretty good action...
    but I am not going to say it
    I love it when people keep their agreements /sarcasm ftw

